CompTIA Security+ Cryptography and PKI: Free Practice Questions + Study Guide

Moussa BENALI
Senior Network & Security Engineer · 6+ years of experience designing and securing enterprise networks. CCNA, Security+, and AWS certified.
Verified for Security+ SY0-701 · Feb 2026

What is Cryptography?

Cryptography is the science of securing information by transforming it into an unreadable format that can only be reversed by authorized parties. It is one of the foundational pillars of modern cybersecurity, providing four critical services: confidentiality (ensuring only authorized parties can read the data), integrity (verifying data has not been altered), authentication (confirming the identity of communicating parties), and non-repudiation (preventing a sender from denying they sent a message).

Cryptography has evolved from ancient ciphers - such as the Caesar cipher used by Julius Caesar to encode military messages - to the sophisticated mathematical algorithms that protect trillions of dollars in digital transactions every day. In modern networks, cryptographic protocols like TLS, IPsec, and SSH are essential for securing communications, while cryptographic primitives like encryption, hashing, and digital signatures form the backbone of trust on the internet. The CompTIA Security+ certification tests your ability to select, implement, and troubleshoot these cryptographic solutions across real-world scenarios.

📝 Security+ Exam Note: Cryptography and PKI concepts appear across multiple domains but are most heavily tested in Domain 1: General Security Concepts (12%) and Domain 3: Security Architecture (18%). Expect scenario-based questions asking you to choose the correct algorithm, identify appropriate key sizes, or troubleshoot certificate issues.

Symmetric vs Asymmetric Encryption

Encryption is the process of converting plaintext into ciphertext using an algorithm and a key. The two fundamental categories of encryption differ in how keys are managed and used.

Symmetric encryption uses a single shared key for both encryption and decryption. Because both parties must possess the same secret key, the primary challenge is key distribution - how do you securely share the key without it being intercepted? Despite this limitation, symmetric encryption is extremely fast and efficient, making it ideal for encrypting large volumes of data. Common symmetric algorithms include:

  • AES (Advanced Encryption Standard) - the current gold standard, supporting 128, 192, and 256-bit keys; adopted by the U.S. government and widely used globally
  • DES (Data Encryption Standard) - a legacy 56-bit algorithm now considered insecure due to its short key length
  • 3DES (Triple DES) - applies DES three times with different keys for 168-bit effective security; being phased out in favor of AES
  • Blowfish - a fast block cipher with variable key lengths up to 448 bits, largely replaced by its successor Twofish
  • ChaCha20 - a modern stream cipher used in TLS 1.3 and WireGuard VPN, known for excellent performance on mobile devices

Asymmetric encryption (public-key cryptography) uses a mathematically related key pair: a public key that can be freely distributed and a private key that must be kept secret. Data encrypted with the public key can only be decrypted with the corresponding private key, and vice versa. This elegantly solves the key distribution problem but is significantly slower than symmetric encryption. Key asymmetric algorithms include:

  • RSA (Rivest-Shamir-Adleman) - the most widely deployed asymmetric algorithm, used for key exchange, digital signatures, and encryption; typical key sizes are 2048 or 4096 bits
  • ECC (Elliptic Curve Cryptography) - provides equivalent security to RSA with much smaller key sizes (256-bit ECC approximates 3072-bit RSA), making it ideal for mobile and IoT devices
  • Diffie-Hellman (DH) - a key exchange protocol that allows two parties to establish a shared secret over an insecure channel; not used for encryption directly but for securely exchanging symmetric keys

| Algorithm | Type | Key Size | Speed | Use Case |
|---|---|---|---|---|
| AES-256 | Symmetric | 256-bit | Fast | Bulk data encryption |
| RSA | Asymmetric | 2048-4096 bit | Slow | Key exchange, digital signatures |
| ECC | Asymmetric | 256-384 bit | Moderate | Mobile/IoT, TLS |

Key Concept: In practice, symmetric and asymmetric encryption are used together. Asymmetric encryption securely exchanges a symmetric session key, which then encrypts the actual data. This hybrid approach - used in TLS, SSH, and IPsec - combines the security of asymmetric key exchange with the speed of symmetric bulk encryption.
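The hybrid flow above, as an added example that is not part of the original study guide: each side publishes a Diffie-Hellman value, computes the same shared secret from the other side's public value, and feeds that secret through HKDF (RFC 5869, built here from HMAC-SHA256) to get a uniform 32-byte session key suitable for AES-256. The group (p = 23, g = 5), the names `toy_handshake` and `derive_session_key`, and the `info` label are assumptions made for the demo; a real handshake uses a 2048-bit or larger group or ECDH, which this toy group does not approximate in strength.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen only so the arithmetic is easy to follow.
# This group is NOT secure; real deployments use 2048-bit+ groups or ECDH.
TOY_P = 23
TOY_G = 5


def dh_public(priv: int, p: int = TOY_P, g: int = TOY_G) -> int:
    """Public value g^priv mod p; safe to send over the insecure channel."""
    return pow(g, priv, p)


def dh_shared(peer_pub: int, priv: int, p: int = TOY_P) -> int:
    """Shared secret peer_pub^priv mod p; both sides arrive at the same number."""
    return pow(peer_pub, priv, p)


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): stretch PRK into `length` bytes bound to `info`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(shared: int, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """Turn the raw DH secret into a uniform symmetric key (32 bytes = AES-256 key)."""
    ikm = shared.to_bytes((shared.bit_length() + 7) // 8 or 1, "big")
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def toy_handshake(a_priv: int, b_priv: int, salt: bytes = b"",
                  info: bytes = b"toy session key") -> tuple:
    """Run both sides of the exchange; returns (key_alice, key_bob)."""
    a_pub = dh_public(a_priv)  # Alice -> Bob, sent in the clear
    b_pub = dh_public(b_priv)  # Bob -> Alice, sent in the clear
    key_alice = derive_session_key(dh_shared(b_pub, a_priv), salt, info)
    key_bob = derive_session_key(dh_shared(a_pub, b_priv), salt, info)
    return key_alice, key_bob


if __name__ == "__main__":
    # Fresh random private exponents each run, as a real handshake would use.
    a = secrets.randbelow(TOY_P - 2) + 1
    b = secrets.randbelow(TOY_P - 2) + 1
    ka, kb = toy_handshake(a, b)
    print("Alice public:", dh_public(a), " Bob public:", dh_public(b))
    print("session keys match:", ka == kb, " key:", ka.hex())
```

An eavesdropper sees only the two public values; the private exponents never leave their owners, which is the key distribution problem the section describes being solved. Deriving the key through HKDF (rather than using the DH output directly) is what TLS 1.3 and IPsec's IKEv2 do, and binding the `info` label into the derivation gives different keys for different purposes from the same secret.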

Hashing Algorithms

A hash function is a one-way mathematical algorithm that takes an input of any size and produces a fixed-length output (the hash value or digest). Unlike encryption, hashing is irreversible - you cannot derive the original data from its hash. Even a single-bit change in the input produces a completely different hash, a property known as the avalanche effect. This makes hashing essential for verifying data integrity.

Common hashing algorithms and their status:

  • MD5 - produces a 128-bit hash; considered cryptographically broken due to collision vulnerabilities (two different inputs producing the same hash); should not be used for security purposes
  • SHA-1 - produces a 160-bit hash; officially deprecated since 2017 after practical collision attacks were demonstrated; still found in legacy systems but should be replaced
  • SHA-256 - part of the SHA-2 family; produces a 256-bit hash and is the current standard for most security applications including TLS certificates and blockchain

HMAC (Hash-based Message Authentication Code) combines a hash function with a secret key to provide both integrity verification and authentication. Unlike a plain hash, HMAC ensures that only parties with the shared secret key can generate or verify the code, protecting against both accidental modification and deliberate tampering.
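Both properties described above, the avalanche effect for integrity checks and the keyed HMAC, as an added example that is not code from the original guide. The "firmware image" and the transfer message are constructed sample inputs; `verify_download`, `avalanche_bits` and `hmac_verify` are names chosen for this demo. Python's standard `hashlib` and `hmac` modules do the real work.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Fixed-length 256-bit digest of input of any size."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_digest: str) -> bool:
    """Integrity check against a vendor's published SHA-256: recompute and compare."""
    return hmac.compare_digest(sha256_hex(data), published_digest.lower())


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of `data` with exactly one bit toggled."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def avalanche_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between SHA-256(a) and SHA-256(b), out of 256 bits."""
    x = int.from_bytes(hashlib.sha256(a).digest(), "big")
    y = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(x ^ y).count("1")


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: integrity plus proof that the sender knew `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time (compare_digest), never with ==."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


if __name__ == "__main__":
    # Constructed "download" and the digest its publisher would list next to it.
    firmware = b"constructed firmware image v1.2.3"
    published = sha256_hex(firmware)
    tampered = flip_bit(firmware, 5)
    print("pristine file verifies:", verify_download(firmware, published))
    print("tampered file verifies:", verify_download(tampered, published))
    print("digest bits changed by a 1-bit input change:",
          avalanche_bits(firmware, tampered), "/ 256")

    # A plain hash cannot tell a legitimate sender from anyone else who can
    # recompute it; HMAC ties the tag to a shared secret.
    key = secrets.token_bytes(32)
    msg = b"transfer 100 to account 42"
    tag = hmac_tag(key, msg)
    print("HMAC, original message:", hmac_verify(key, msg, tag))
    print("HMAC, modified message:", hmac_verify(key, b"transfer 900 to account 42", tag))
    print("HMAC, wrong key:       ", hmac_verify(secrets.token_bytes(32), msg, tag))
```

Roughly half of the 256 digest bits change for a one-bit input change, which is why a downloaded file's hash either matches exactly or is obviously different. Note that the plain hash check only defends against accidental corruption or a tamperer who cannot also replace the published digest; the HMAC check additionally fails when the message is altered or the tag was made without the key.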

For password storage, standard hash functions like SHA-256 are too fast - an attacker can compute billions of hashes per second in a brute-force attack. Instead, purpose-built password hashing algorithms are used:

  • bcrypt - incorporates a configurable work factor (cost) that makes hashing deliberately slow; widely used and well-tested
  • PBKDF2 (Password-Based Key Derivation Function 2) - applies a hash function thousands of times with a salt; recommended by NIST
  • Argon2 - the most modern option; winner of the Password Hashing Competition; designed to be resistant to both GPU and ASIC-based attacks by requiring significant memory
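Password storage with PBKDF2 as the list describes it, as an added example that is not part of the original guide: a random per-user salt, a configurable iteration count stored alongside the hash, constant-time verification, and a check that flags old records for rehashing when policy tightens. The record format `pbkdf2_sha256$iterations$salt$hash`, the iteration count used here, and the function names are assumptions for this demo; the password strings are constructed.

```python
import hashlib
import hmac
import secrets

# Work factor. Raise it as hardware gets faster; OWASP's 2023 guidance for
# PBKDF2-HMAC-SHA256 is 600,000 iterations. Lowered here only to keep the demo quick.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash' (hex fields)."""
    salt = secrets.token_bytes(SALT_BYTES)   # fresh per user: equal passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """Flag records made under an older, weaker work factor so they can be upgraded at next login."""
    return int(record.split("$")[1]) < minimum_iterations


def unsalted_sha256(password: str) -> str:
    """The anti-pattern the text warns about: fast, unsalted, identical for every user with that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login, right password:", verify_password("correct horse battery staple", record))
    print("login, wrong password:", verify_password("Tr0ub4dor&3", record))
    print("same password, second user, different record:",
          hash_password("correct horse battery staple") != record)
    print("unsalted SHA-256 is identical across users:",
          unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

Storing the iteration count in the record is what makes the work factor "configurable" in practice: when the policy is raised, `needs_rehash` identifies old records and the application re-hashes the password the next time the user logs in successfully, since the plaintext is only available at that moment. bcrypt and Argon2 embed their cost parameters in the output string for the same reason.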

For the complete list of testable algorithms and their classifications, refer to the official Security+ exam objectives.

💡 Tip: On the exam, if a question asks about verifying file integrity (e.g., checking a downloaded file), the answer involves hashing. If it asks about protecting data confidentiality, the answer involves encryption. This distinction is tested frequently.

Digital Certificates and PKI

Public Key Infrastructure (PKI) is the framework of policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI establishes a chain of trust that enables secure communication between parties who have never met, forming the foundation of secure web browsing, email encryption, and code signing.

At the center of PKI is the Certificate Authority (CA), a trusted third party that issues and signs digital certificates. The CA hierarchy typically includes:

  • Root CA - the top-level authority; its certificate is self-signed and must be inherently trusted; usually kept offline to protect its private key
  • Intermediate CA (Subordinate CA) - issues certificates on behalf of the root CA; provides a layer of separation so the root CA's private key is never exposed during day-to-day operations
  • Registration Authority (RA) - verifies the identity of certificate requestors before the CA issues a certificate; handles the administrative verification process

A digital certificate follows the X.509 standard and contains key fields:

  • Subject - the entity the certificate identifies (e.g., a domain name or organization)
  • Issuer - the CA that signed and issued the certificate
  • Public key - the subject's public key, bound to their identity by the CA's signature
  • Validity period - the start and expiration dates during which the certificate is considered valid
  • Serial number - a unique identifier assigned by the CA
  • Digital signature - the CA's cryptographic signature verifying the certificate's authenticity

The certificate lifecycle follows a defined process: a subject generates a key pair and submits a Certificate Signing Request (CSR) to the CA; the CA verifies the request and issues the signed certificate; the certificate is used for its intended purpose (e.g., HTTPS); and eventually the certificate either expires naturally or is revoked if compromised.

Two mechanisms exist for checking whether a certificate has been revoked:

  • CRL (Certificate Revocation List) - a periodically published list of revoked certificate serial numbers; the client downloads the entire list and checks whether the certificate's serial number appears on it
  • OCSP (Online Certificate Status Protocol) - a real-time protocol in which the client queries the CA's OCSP responder about a specific certificate's status; faster and more efficient than downloading a full CRL

Finally, understand the distinction between self-signed certificates (signed by the entity itself, not a trusted CA - suitable for internal testing but not trusted by browsers) and CA-signed certificates (signed by a trusted CA and automatically trusted by browsers and operating systems through the pre-installed root certificate store).

⚠️ Important: On the Security+ exam, if a scenario describes users receiving browser certificate warnings for an internal application, the likely cause is a self-signed certificate or an expired certificate. The fix is to either install the self-signed CA certificate in the client trust store or replace it with a CA-signed certificate.
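The chain of trust, lifecycle and revocation checks from this section, and the signing step that code signing (later in this guide) relies on, as an added example that is not code from the original guide. It models a root CA, an issuing CA and a server certificate with the X.509 fields listed above, and a client-side validator that walks leaf to root, checks the validity window, consults a CRL and verifies each signature. The signatures use textbook RSA with tiny fixed primes and no padding, standing in for the 2048-bit RSA or ECDSA a real CA uses so that the chain logic runs offline; the digest is truncated to fit the toy modulus. The CA names, hostnames, serial numbers, dates and the `Certificate`/`validate_chain` names are all constructed for the demo (requires Python 3.8+ for `pow(e, -1, m)`).

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import date

# Textbook RSA with tiny fixed primes and no padding: a stand-in for the real
# 2048-bit RSA / ECDSA signatures a CA uses, small enough to read and run offline.
E = 65537

def make_keypair(p: int, q: int, e: int = E) -> tuple:
    """Return ((n, e), (n, d)); p and q must be primes with gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)

def tbs_digest(tbs: str) -> int:
    """SHA-256 of the to-be-signed fields, truncated to 56 bits to fit under the toy modulus."""
    return int.from_bytes(hashlib.sha256(tbs.encode()).digest()[:7], "big")

def sign(private: tuple, tbs: str) -> int:
    n, d = private
    return pow(tbs_digest(tbs), d, n)

def verify_signature(public: tuple, tbs: str, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == tbs_digest(tbs)

@dataclass
class Certificate:
    subject: str          # who the certificate identifies
    issuer: str           # which CA signed it
    public_key: tuple     # subject's public key, bound to the subject by the signature
    not_before: date
    not_after: date
    serial: int
    signature: int = 0

    def tbs(self) -> str:
        """Stand-in for the DER-encoded tbsCertificate the issuer actually signs."""
        return f"{self.subject}|{self.issuer}|{self.public_key}|{self.not_before}|{self.not_after}|{self.serial}"

def issue(subject: str, subject_pub: tuple, issuer_cert, issuer_priv: tuple,
          serial: int, not_before: date, not_after: date) -> Certificate:
    """CA side: after the RA has verified the requester, sign the CSR's public key.
    issuer_cert=None yields a self-signed certificate (a root, or an ad-hoc server cert)."""
    issuer_name = subject if issuer_cert is None else issuer_cert.subject
    cert = Certificate(subject, issuer_name, subject_pub, not_before, not_after, serial)
    cert.signature = sign(issuer_priv, cert.tbs())
    return cert

def validate_chain(chain: list, trust_store: dict, crl: set, today: date) -> tuple:
    """Client side: chain[0] is the leaf, each next entry must have signed the previous one,
    and the last entry's issuer must be in trust_store. crl holds (issuer, serial) pairs."""
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject}: outside validity period"
        if (cert.issuer, cert.serial) in crl:
            return False, f"{cert.subject}: serial {cert.serial} is revoked"
        issuer = chain[i + 1] if i + 1 < len(chain) else trust_store.get(cert.issuer)
        if issuer is None:
            return False, f"{cert.subject}: issuer '{cert.issuer}' is not in the trust store"
        if issuer.subject != cert.issuer:
            return False, f"{cert.subject}: issuer name does not match"
        if not verify_signature(issuer.public_key, cert.tbs(), cert.signature):
            return False, f"{cert.subject}: signature does not verify"
    return True, "chain verified"

def build_demo() -> tuple:
    """Constructed hierarchy: offline root -> issuing CA -> server cert, plus a self-signed server cert."""
    root_pub, root_priv = make_keypair(1_000_000_007, 998_244_353)
    ca_pub, ca_priv = make_keypair(1_000_000_009, 999_999_937)
    srv_pub, srv_priv = make_keypair(2_147_483_647, 4_294_967_291)
    root = issue("Example Root CA", root_pub, None, root_priv, 1, date(2020, 1, 1), date(2040, 1, 1))
    ca = issue("Example Issuing CA", ca_pub, root, root_priv, 2, date(2021, 1, 1), date(2031, 1, 1))
    server = issue("app.example.internal", srv_pub, ca, ca_priv, 1001, date(2025, 1, 1), date(2026, 1, 1))
    self_signed = issue("app.example.internal", srv_pub, None, srv_priv, 1, date(2025, 1, 1), date(2026, 1, 1))
    return root, ca, server, self_signed

def run_scenarios() -> dict:
    """Scenario name -> (ok, reason) for the cases the section describes."""
    root, ca, server, self_signed = build_demo()
    trusted = {root.subject: root}           # the client's pre-installed root store
    in_validity, after_expiry = date(2025, 6, 1), date(2026, 6, 1)
    return {
        "valid chain": validate_chain([server, ca], trusted, set(), in_validity),
        "expired": validate_chain([server, ca], trusted, set(), after_expiry),
        "revoked": validate_chain([server, ca], trusted, {(ca.subject, server.serial)}, in_validity),
        "untrusted root": validate_chain([server, ca], {}, set(), in_validity),
        "self-signed": validate_chain([self_signed], trusted, set(), in_validity),
        "tampered": validate_chain([replace(server, subject="evil.example.internal"), ca],
                                   trusted, set(), in_validity),
    }

if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:15s} {'OK  ' if ok else 'FAIL'} {reason}")
```

The "self-signed" and "untrusted root" scenarios are the two ways the browser warning in the note above arises: either the leaf's issuer is itself, or the chain ends at a CA the client's trust store does not contain, and in both cases the fix is adding the right CA certificate to the store or re-issuing from a trusted CA. The CRL is modelled as a set of (issuer, serial) pairs because serial numbers are only unique per CA; an OCSP responder would answer the same question for one serial at a time instead of the client holding the whole list.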

Cryptographic Use Cases

Understanding when and how cryptographic solutions are applied is just as important as knowing the algorithms themselves. The Security+ exam frequently presents scenarios where you must identify the correct cryptographic implementation.

  • TLS/SSL for web traffic - Transport Layer Security (the successor to SSL) secures HTTPS connections using a hybrid approach: asymmetric encryption establishes the session, then symmetric encryption (typically AES) handles bulk data transfer. TLS 1.3 is the current standard, offering improved speed and security by removing legacy cipher suites.
  • VPN (IPsec, IKE) - Virtual Private Networks use IPsec to encrypt traffic between sites or remote users. Internet Key Exchange (IKE) negotiates the security association and exchanges symmetric keys. IPsec operates in two modes: transport mode (encrypts payload only) and tunnel mode (encrypts the entire packet, including headers).
  • Code signing - developers use their private key to digitally sign software. The recipient verifies the signature using the developer's public key, confirming the software has not been tampered with and was published by the claimed author. This is critical for operating system updates, driver installations, and mobile app distribution.
  • Email encryption (S/MIME, PGP) - S/MIME uses X.509 certificates and a CA-based trust model, while PGP uses a decentralized "web of trust" model. Both provide encryption (confidentiality) and digital signatures (integrity and authentication) for email messages.
  • Disk encryption (BitLocker, LUKS) - full disk encryption protects data at rest by encrypting the entire storage volume. BitLocker (Windows) can integrate with TPM hardware for key protection. LUKS (Linux Unified Key Setup) provides full-disk encryption for Linux systems. Both typically use AES-256 for the actual encryption.

💡 Tip: The Security+ exam distinguishes between data at rest (disk encryption, database encryption), data in transit (TLS, VPN, SSH), and data in use (processing in memory). Know which cryptographic controls apply to each state.


Frequently Asked Questions

Is cryptography heavily tested on the Security+ exam?

Yes, cryptography is a significant topic on the CompTIA Security+ SY0-701 exam. Cryptographic concepts appear across multiple domains, most notably Domain 1: General Security Concepts (12%) and Domain 3: Security Architecture (18%). You should expect questions on symmetric vs asymmetric encryption, hashing algorithms, digital certificates, PKI infrastructure, and cryptographic use cases such as TLS, VPNs, and code signing. Both multiple-choice and performance-based questions may test your understanding of when and how to apply specific cryptographic solutions.

What's the difference between encryption and hashing?

Encryption is a two-way process - data is encrypted with a key and can be decrypted back to its original form using the appropriate key (symmetric uses one key, asymmetric uses a key pair). Hashing is a one-way process - it transforms data into a fixed-length hash value that cannot be reversed back to the original data. Encryption is used for confidentiality (protecting data in transit or at rest), while hashing is used for integrity verification (ensuring data has not been modified) and password storage. A critical distinction: if you need to recover the original data, use encryption. If you only need to verify data hasn't changed, use hashing.

Do I need to memorize key sizes for the Security+ exam?

You should know the commonly tested key sizes and their associations. For the SY0-701 exam, focus on: AES supports 128, 192, and 256-bit keys (256-bit is the strongest); RSA typically uses 2048 or 4096-bit keys; ECC uses smaller key sizes (256-384 bit) while providing equivalent security to much larger RSA keys; SHA-256 produces a 256-bit hash. You don't need to memorize every possible key size, but you should understand the relative strength comparisons and know which algorithms are considered secure versus deprecated (e.g., DES with 56-bit keys and MD5 with 128-bit output are both considered insecure).

What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses a single shared key for both encryption and decryption. It is fast and efficient for encrypting large amounts of data, but the key must be securely shared between parties. Examples include AES, DES, 3DES, and ChaCha20. Asymmetric encryption uses a key pair - a public key (shared openly) and a private key (kept secret). Data encrypted with the public key can only be decrypted with the private key, and vice versa. It is slower than symmetric encryption but solves the key distribution problem. Examples include RSA, ECC, and Diffie-Hellman. In practice, both are used together: asymmetric encryption securely exchanges a symmetric session key, which then encrypts the actual data (as in TLS).